How do I allow users to upload only certain file types to my Amazon S3 bucket?

2 minute read
0

I want to store only certain file types on my Amazon Simple Storage Service (Amazon S3) bucket. I want to limit uploads so that my bucket accepts only those file types.

Resolution

Add statements to your bucket policy that allow or deny the following actions:

  • Allow the s3:PutObject action only for objects that have the extension of the file type that you want.
  • Explicitly deny the s3:PutObject action for objects that don't have the extension of the file type that you want.
    Note: This explicit deny statement applies the file-type requirement to users with full access to your Amazon S3 resources.

For example, this bucket policy allows the s3:PutObject action to exampleuser only for objects with .jpg, .png, or .gif file extensions:

Warning: This example bucket policy includes an explicit deny statement. If a user doesn't meet the specified conditions, then even the user who sets up the bucket policy can have their access to the bucket denied. Therefore, carefully review the bucket policy before you save it. If you accidentally lock the bucket, then see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/exampleuser"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
      ]
    },
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
      ]
    }
  ]
}

Note:

  • For the first Principal value, list the Amazon Resource Names (ARNs) of the users that you want to grant upload permissions to.
  • For the Resource and NotResource values, replace DOC-EXAMPLE-BUCKET with the name of your bucket.
  • When you specify resources in the bucket policy, the bucket policy evaluation is case-sensitive. A bucket policy that denies s3:PutObject actions for NotResource arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg allows you to upload my_image.jpg. However, if you try to upload my_image.JPG, then Amazon S3 returns an Access Denied error.
AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago
3 Comments

You can either use Object policy or AWS Identity and Access Management (IAM) Policies: You can create an IAM policy that restricts the file types for uploading. Configure the policy to the IAM user or group that need restricted access. i.e this allows only PDF files { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSpecificFileTypes", "Effect": "Deny", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::your-bucket-name/*", "Condition": { "StringNotEquals": { "s3:x-amz-meta-file-type": [ "application/pdf" ] } } } ] }

Try out this and let me us know

profile picture
replied 8 months ago

What if an object name is not <name>.extension but just name e.g. example? Is this policy just useless then? If yes, how to make this policy "stronger"?

Moti
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 months ago